Feature: System Administration

Running Debian GNU/Linux from an encrypted USB drive

You're probably familiar with the live CD concept -- a fully functional operating system on a CD that can be run on any computer that boots from its optical drive, without affecting the one(s) already installed. In a similar vein, you can set up Linux to run from a USB hard drive on any computer that can boot from USB. The live system offers automatic detection and configuration of the display adapter and screen, storage devices, and other peripherals. A bootable USB drive can run a mainstream Linux distribution such as Debian GNU/Linux, and can be secured, personalised, upgraded, and otherwise modified to suit your needs.

To try setting up a bootable USB drive, you need a computer with an Internet connection, an optical drive to boot from, and a free USB 2.0 port for the external USB drive. We shall employ the standard install procedure for the testing version of Debian, a.k.a. Lenny, with some minor tweaks in order to make the system "live."

Download the current netinst CD image for Debian Lenny, burn it to a CD, and boot the computer with it. You'll be greeted by the Debian logo. Press Enter at the boot prompt to start the text mode Debian-Installer, or launch the graphical Debian-Installer by typing installgui at the boot prompt.

When the installer asks you to select a partitioning method, select "Guided - use entire disk and set up encrypted LVM." Shortly after that you'll be asked to select a disk to be partitioned. Be careful here -- you do not want to select the internal hard disk. The external disk will be listed as a SCSI device, and it will not be the first device on the list. Check the size and model string shown next to each entry before confirming, because whatever you select here is erased.

You will then be asked to specify the partitioning scheme. Select "All files in one partition (recommended for new users)." The installer will ask for your confirmation before it erases the contents of the selected disk. This step overwrites the partition with random data before the encrypted volume is created, so that whatever was on the disk before cannot be recovered and so that unused encrypted space cannot be told apart from used space; it may take a long time to complete (roughly two hours per 100GB). After that, the installer will prompt for an encryption passphrase, and then continue with the normal installation procedure. Choose the passphrase with care: it is the only thing protecting the data once the drive is out of your hands.

At the last stretch of the installation, after all the required packages have been downloaded from the Internet and installed, you'll get the chance to install the GRUB boot loader. The installer is likely to suggest that GRUB should be installed on the internal disk, in order to achieve a dual boot configuration. You must instead install GRUB to the external disk.

Finally, the installer will attempt to reboot into your new system, but this step will fail until you make a few changes:

You must configure the computer BIOS to enable the option to boot from a USB device. The procedure differs depending on what BIOS your system uses, but it's usually easy to figure out.

GRUB sees the boot partition on the USB disk as the first partition of the first disk, because that is the disk the BIOS booted from. The installer, however, treated the internal disk as the first disk. You need to edit /boot/grub/menu.lst to change the GRUB root to (hd0,0) instead of something like (hd1,0). Fix the root line in every menu stanza and on the line that starts with # groot=; update-grub regenerates the stanzas from that line on the next kernel upgrade, so editing it keeps the change from being undone.

The kernel may attempt to access the encrypted partition before the USB subsystem makes it available, causing the boot process to fail. Add rootdelay=10 to the kernel command line in every menu stanza in /boot/grub/menu.lst and on the line starting with # kopt=; the initrd then pauses for 10 seconds before it looks for the root device, which gives the USB disk time to appear.

Following these fixes you should be able to boot the computer from the USB disk. In the process you'll be prompted for the passphrase to unlock the encrypted partition. Keep in mind what that passphrase protects: only the LVM volumes inside the encrypted partition are encrypted, while the first partition holds /boot (GRUB, the kernel, and the initrd) in the clear. Someone who gets hold of the stick cannot read your data without the passphrase, but can read or alter the boot code that asks for it.
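The two menu.lst fixes above, applied by a script instead of by hand, as an added example that is not from the original article. The sample menu.lst it builds is constructed for the demonstration: the kernel version, the volume group name usbdeb, and the (hd1,0) starting point are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example, not from the original article: apply the two GRUB Legacy
# fixes to a /boot/grub/menu.lst.
#   1. root (hdN,0) -> root (hd0,0), in every stanza and on the "# groot=" line
#   2. append rootdelay=10 to every "kernel" line and to the "# kopt=" line
# Editing "# groot=" and "# kopt=" as well means update-grub carries the
# changes into the stanzas it regenerates on the next kernel upgrade.

fix_menu_lst() {
    # $1: menu.lst to edit in place; the untouched copy is kept as $1.orig
    cp "$1" "$1.orig" &&
    sed -e 's/^\(# groot=\)(hd[0-9]*,0)/\1(hd0,0)/' \
        -e 's/^\([[:space:]]*root[[:space:]][[:space:]]*\)(hd[0-9]*,0)/\1(hd0,0)/' \
        -e '/rootdelay=/!s/^\(# kopt=.*\)$/\1 rootdelay=10/' \
        -e '/rootdelay=/!s/^\([[:space:]]*kernel[[:space:]].*\)$/\1 rootdelay=10/' \
        "$1.orig" > "$1"
}

check_menu_lst() {
    # Succeed only if no stanza still points at another disk and every
    # kernel line carries the rootdelay option.
    ! grep -q '(hd[1-9][0-9]*,' "$1" &&
    [ "$(grep -c '^[[:space:]]*kernel' "$1")" -eq \
      "$(grep -c '^[[:space:]]*kernel.*rootdelay=10' "$1")" ]
}

# Constructed sample of what the installer writes when the internal disk was
# hd0 during installation (kernel version and VG name are assumptions).
MENU=${TMPDIR:-/tmp}/menu.lst.$$
trap 'rm -f "$MENU" "$MENU.orig"' EXIT
cat > "$MENU" <<'EOF'
default 0
timeout 5
# kopt=root=/dev/mapper/usbdeb-root ro
# groot=(hd1,0)
title Debian GNU/Linux, kernel 2.6.24-1-686
root  (hd1,0)
kernel  /vmlinuz-2.6.24-1-686 root=/dev/mapper/usbdeb-root ro quiet
initrd  /initrd.img-2.6.24-1-686
EOF

fix_menu_lst "$MENU"
check_menu_lst "$MENU" && echo "menu.lst fixed:" && cat "$MENU"
```

Running the script twice is safe: the rootdelay rules skip lines that already carry the option, and (hd0,0) is left as it is. On a real system point it at /boot/grub/menu.lst and keep the .orig copy until the stick has booted once.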

Going live

The system installed is already almost "live" in the sense that most hardware devices are automatically detected and configured during the boot process. However, some issues still remain to be resolved before you can take the USB disk to another computer.

The first issue to tackle is disk drive identification. The device path of the USB disk (e.g. /dev/sda if it came up as the first SCSI device) is hardwired by the installer into the crypt options inside the initial RAM file system (initrd image), the static encrypted file system list /etc/crypttab, and the file system table /etc/fstab. This is fine as long as the USB disk is mapped to the same device path as the one it was mapped to during the installation. However, the device path is liable to be different on another computer, or even on the same computer if, for example, another USB disk is attached.

You can get around this potential problem by referring to the partitions by their Universally Unique Identifiers (UUIDs), which you can list by running blkid as root; the same identifiers appear as symlink names under /dev/disk/by-uuid/.

In this example, blkid reports de018d5f-4dbc-4ed6-9724-4d5c793658aa for /dev/sda1 (the unencrypted /boot partition) and 0897f48a-462d-4ec5-9ef1-a60574fa1182 for /dev/sda5 (the encrypted partition holding the LVM volumes), so any reference in /etc/crypttab and /etc/fstab to /dev/sda1 and /dev/sda5 should be replaced with UUID=de018d5f-4dbc-4ed6-9724-4d5c793658aa and UUID=0897f48a-462d-4ec5-9ef1-a60574fa1182, respectively.

Once you've made changes to /etc/crypttab, run update-initramfs -t -u so that the new device references are copied into the initrd image (-u updates the initrd for the current kernel; -t lets it overwrite one that was customised by hand). The initrd is what unlocks the encrypted partition at boot, so editing /etc/crypttab alone is not enough.

The other main problem is with the X server (i.e. the windowing system). It is configured during the installation process, and the setup is saved to the file /etc/X11/xorg.conf. If the hardware involved (display adapter, screen, keyboard, pointing device, etc.) is modified, you need to reconfigure the X server by running as root the command dpkg-reconfigure xserver-xorg.

It would be nice to avoid this when switching from one computer to the other. One option is to remove the file /etc/X11/xorg.conf so as to force the X server to autoconfigure itself. I had little luck with this approach, so I added the following at the end of the do_start function (just before the closing brace) in /etc/init.d/bootmisc.sh:

dpkg-reconfigure -fnoninteractive xserver-xorg

This should work as long as autodetection was selected for the display adapter and screen during the last time the X server was reconfigured interactively (such as during the installation process). This method also preserves the user's preferences for keyboard layouts.

You may experience problems in other areas, such as networking, but otherwise this setup should work as is on most machines.

Conclusion

It only took a straightforward install and minor modifications to a few files to create a bootable, encrypted, live external hard drive. While the specific instructions above are bound to become stale as Linux, Debian, encryption standards, and computer hardware all evolve, I think it's safe to predict that setting up a bootable USB drive will only get simpler in the future.

Avi Rozen is a senior R&D engineer at a company that develops machine-vision-based products.

Re: Running Debian GNU/Linux from an encrypted USB drive

Why would you set up a RAM drive for swap??? Swap is supposed to act as "virtual" RAM, so adding a swap drive in a RAM disk is just going to take away from the "real" available memory to the system and make it swap things out to the swap partition which is in RAM anyway...

Running Debian GNU/Linux from an encrypted USB drive

Very nice, the problem here is that the PC will then not boot without that drive attached. You have in effect made the USB drive a key to access any other OS on that computer.

So even for geek points you score a zero for this, if only because, by doing as you suggest, you have bricked your system. Nor is the drive "portable" to another system without doing a GRUB install on it and turning a second machine into a brick.

Re: Running Debian GNU/Linux from an encrypted USB drive

Posted by: Avi Rozen
on February 19, 2008 08:29 PM

Well, my *experience* is different.
GRUB needs only to be installed on the USB disk.
No PC was harmed while writing this article: just remove the USB disk after shutting down your PC and reboot back into your old system.

Re: Running Debian GNU/Linux from an encrypted USB drive

If you've "bricked" your MBR on the main drive, you've not followed the instructions properly... If you install GRUB to the USB drive, it won't touch the MBR on the internal drive, hence if it worked before, it'll work after *provided* you follow the instructions...

Running Debian GNU/Linux from an encrypted USB drive

Glad to hear it Avi, however in playing with it some time ago (same person as above) that was my exact experience on several attempts. Luckily GRUB isn't that hard to work with. Three commands and the old GRUB install is back to working again. I might be inclined to caveat your article with back up, back up, and when in doubt back up.

Running Debian GNU/Linux from an encrypted USB drive

Currently I am running gNewSense from a USB drive. I had previously looked for information as to how (and if it were possible) to install an operating system on a USB hard drive. I came to the conclusion that it cannot be done, for all practical purposes. But I was considering whether it can be done or not with only the Microsoft Windows OS. Reading more about the freedom that free software provides has allowed me to choose to switch from Windows to software that has a license that I can agree to. I would also therefore like to thank the author, Avi Rozen.

Running Debian GNU/Linux from an encrypted USB drive

If your system booted before doing this, it will still boot after this even without the external drive plugged in. Therefore this does not "brick" the system. The GRUB mentioned here is the one installed on the external. The previous system presumably had a working bootloader which would become active in the absence of the external. The GRUB config on the external might not work on a different machine though.

Running Debian GNU/Linux from an encrypted USB drive

Advice there with LILO works fine, UUIDs recommended. Never tried GRUB.

I like the mobility and don't consider PCs 'bricks' just because I carry my OS around. One of them I even copied the USB's OS install to. A few trivial fstab/network tweaks and it's up and running independently.

P.S. Clarification

(Being clear: there is no 'brick' here - LILO is on USB, and if the PC has a hard drive OS, there is freedom to boot that or USB, and you can define LILO menus for it. Nice clean way to migrate off Windows in fact.)

Running Debian GNU/Linux from an encrypted USB drive

I remember that the Sidux live CD installer has an option to install directly into a USB drive, but I haven't tried it so I can't say if this is a tweakless approach. (www.sidux.com) In any case thank you Avi for taking the time and effort of writing this up, I always wondered how that worked.

Framing context

I was at a pharmacy and saw the little computer screen picture frames. If they don't already provide these features, it seems a flash drive mounted to the picture frame could allow it to communicate with a local PC. If the picture frame was a touch screen it could be used as an alarm clock. The USB drive might have a speaker. If the frame had a speaker or the USB drive synchronized with a sound system the pictures could have sound (nature with birds and water). How about a USB drive that a person can voice record into and play back, then also download content to their PC. Also if a clamshell cell phone had three layers, the lowest layer could slide out to sit next to the second middle layer to provide a full function QWERTY keyboard. This could also be applied to BlackBerry devices and I've heard comments about using cross hand type piano configuration.

Running Debian GNU/Linux from an encrypted USB drive

If I change the /dev/sdb5 in crypttab to UUID=d1af70d8-7df1-443d-a048-b46d5002f543 when booting it says cannot find device UUID=d1af70d8-7df1-443d-a048-b46d5002f543 and throws me back to a shell. I rechecked the UUIDs twice and there is no mistake there. Any hints?
By the way, thank you very much for this how to.
Erich from Peru

Running Debian GNU/Linux from an encrypted USB drive

Posted by: Avi Rozen
on March 01, 2008 08:31 AM

Are you installing Debian/testing?
Did you update the initrd image?
Please make sure you have cryptsetup version 2:1.0.6~pre1-1 (or up) installed. The UUID syntax is a fairly recent addition to cryptsetup.
It should also be possible to specify the device as /dev/disk/by-uuid/d1af70d8-7df1-443d-a048-b46d5002f543
[Modified by: Avi Rozen on March 01, 2008 09:11 AM]

Running Debian GNU/Linux from an encrypted USB drive

Posted by: Anonymous
[ip: 67.97.234.6]
on March 05, 2008 03:24 PM

Great article. This is just what I need as I'm starting to port some code from win32 to linux and would like the encryption as well. I installed on a computer that had no hard drive -- so the USB drive by default was (hd0,0). However, when I reboot after the install on the same machine -- there is an error about trying to load from /dev/xxx_crypt associated with /dev/sda2 etc. I can't remember verbatim off the top of my head. I did add the rootdelay=10 to the necessary grub lines. I had no # groot= or #kopt= lines.

Is it possible to boot using a live CD and mount that drive and edit the necessary files like /etc/crypttab and /etc/fstab? Any help would be greatly appreciated. Thanks again.

Re: Running Debian GNU/Linux from an encrypted USB drive

Posted by: Avi Rozen
on March 05, 2008 09:44 PM

This doesn't sound right at all... it should be /dev/sda5 (when installing encrypted partition + lvm), and the kopt and groot lines should definitely be there. I'd remove the "quiet" option from menu.lst, to see more info. You can also specify the crypt options on the kernel command line in menu.lst as follows: cryptopts=target=sda5_crypt,source=/dev/sda5,key=none,lvm=hostname-root (replace hostname with the hostname selected during installation). But I'm afraid that it looks like a reinstall is in order...

Running Debian GNU/Linux from an encrypted USB drive

Posted by: Anonymous
[ip: 67.97.234.6]
on March 06, 2008 04:11 PM

So, I suffered through the 3 hour LVM writing phase followed by the actual install again last night...only to come to the exact same results. So, I said what the heck and tried installing without the encryption, just a regular install. That went fine. I was able to reboot -- ONCE. Subsequent attempts to reboot resulted in hangs, with some kind of error message. One question I have is: with or without encryption, is it necessary to update /etc/fstab to use the UUIDs? That seems to be one of the problems. During the install, the hard drive is mapped to one device name and subsequent reboots it ends up getting mapped to a different device name. Thus, the UUID update to fstab should fix that...correct? Another point, is that after the encrypted install followed by a reboot, I was never prompted for a key phrase. Probably because it couldn't find root. Is there any way to make those changes prior to the reboot? I can live without the encryption. While it would have been nice, it's not critical. For now I just want/need to be able to boot reliably from the USB drive. Thanks.

Running Debian GNU/Linux from an encrypted USB drive

Posted by: Anonymous
[ip: 67.97.234.6]
on March 07, 2008 11:39 PM

Avi, I just wanted to follow up. I finally got this up and running. For some reason, the ro option on the kernel line in grub's menu.lst file was causing serious problems. After I removed it, for some reason it was able to boot (I'm no Linux guru so I have no idea what the ro option does). Anyway, after that I was able to get back in and modify /etc/crypttab and /etc/fstab accordingly.

Now the only other thing I'm wondering about is whether or not it would be possible to set up two xorg.conf files -- one for each machine that I'll be using this USB drive with. One machine has an NVidia card in it and the other an ATI card -- say like, xorg.conf_nv and xorg.conf_ati. Always boot to run level 2 and rename the requisite xorg.conf file and then start X? The renaming could probably be automated with a script etc. Would something like that work?